The PCI DSS v4.0 compliance deadline is fast approaching, and charities handling online donations must act now to meet stricter security requirements. These changes aim to protect donor data, prevent fraud, and strengthen payment security.
At goDonate, we’re working with 3B Data Security to help charities navigate these updates. Here’s what you need to know.
Why PCI DSS Matters for Charities
PCI DSS (Payment Card Industry Data Security Standard) applies to any organisation accepting card payments, including charities using platforms like Stripe, PayPal, or WorldPay.

Key Changes in PCI DSS v4.0
1. Third-Party Script Management (Google Tag Manager – GTM)
Risk: Unmanaged scripts in GTM can be exploited by hackers to steal donor payment details.
New Requirement: Charities must audit, authorise, and continuously monitor all third-party scripts on donation pages.
What to do:
✅ Audit the scripts in GTM, remove unnecessary ones, and document each remaining script together with its business case.
✅ Implement a script approval process & weekly monitoring.
✅ Consider outsourcing script compliance (available via goDonate).
2. Website Monitoring & Change Detection
Risk: Hackers can modify donation pages to redirect payments or steal donor data.
New Requirement: Websites handling donations must be monitored weekly for unauthorised changes.
What to do:
✅ If you use a donation platform, ask your provider whether they already have this monitoring in place so you don’t need to implement it yourself (goDonate does). If not:
✅ Set up automated monitoring tools to detect and log all changes.
✅ Set up alerts for unauthorised modifications.
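Both procedures above (an authorised script inventory for the donation page, and weekly detection of changes to it) come down to comparing the live page against an approved baseline. The following is an added illustration, not goDonate's or 3B Data Security's tooling; the inventory, the page snapshots and the URLs are constructed placeholders, and it parses only snapshots you control.

```python
import hashlib
import re

# Constructed inventory: each authorised external script URL with its documented business case.
AUTHORISED_SCRIPTS = {
    "https://js.stripe.com/v3/": "Card payment form (business case: donation processing)",
    "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE": "Tag manager (business case: analytics)",
}

# Constructed snapshot of the reviewed and approved donation page (the change-detection baseline).
APPROVED_PAGE = """<html><body><form id="donate"></form>
<script src="https://js.stripe.com/v3/" integrity="sha384-PLACEHOLDER"></script>
<script>initDonationForm({currency: "GBP"});</script></body></html>"""

# Constructed later snapshot: inline payment code edited and a script added without review.
TAMPERED_PAGE = APPROVED_PAGE.replace(
    'initDonationForm({currency: "GBP"});', 'initDonationForm({currency: "GBP", debug: true});'
).replace("</body>", '<script src="https://unreviewed.example/widget.js"></script></body>')

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def extract_scripts(html):
    """Return every <script> on the page as {"src", "integrity", "body"} (regex suffices for our own snapshots)."""
    scripts = []
    for attrs, body in SCRIPT_TAG.findall(html):
        a = dict(ATTR.findall(attrs))
        scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": body.strip()})
    return scripts

def inline_hashes(html):
    """SHA-256 of each inline script body; run once on the approved page to form the baseline."""
    return {hashlib.sha256(s["body"].encode()).hexdigest() for s in extract_scripts(html) if not s["src"]}

def check_page(html, authorised=AUTHORISED_SCRIPTS, baseline=frozenset(inline_hashes(APPROVED_PAGE))):
    """Weekly check: findings to log and alert on; an empty list means the page matches its approved state."""
    findings = []
    for s in extract_scripts(html):
        if s["src"] and s["src"] not in authorised:
            findings.append(("UNAUTHORISED_SCRIPT", s["src"]))  # not in the approved inventory
        elif s["src"] and not s["integrity"]:
            findings.append(("NO_INTEGRITY_ATTRIBUTE", s["src"]))  # authorised, but integrity not assured by SRI
        elif not s["src"] and hashlib.sha256(s["body"].encode()).hexdigest() not in baseline:
            findings.append(("INLINE_SCRIPT_CHANGED", s["body"][:60]))  # inline code differs from baseline
    return findings

if __name__ == "__main__":
    for finding in check_page(TAMPERED_PAGE):
        print(*finding)
```

Each finding is something the weekly review should log, alert on and either approve into the inventory and baseline or remove from the page.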
What Happens if You Don’t Comply?
❌ Hefty fines & penalties
❌ Potential loss of donor trust & reputational damage
❌ Increased risk of fraud & security breaches
How goDonate is Supporting Charities
🔹 We now offer a Managed Script service for clients, so you don’t have to manage scripts yourself.
🔹 We’re rolling out a Change & Tamper Detection Solution to monitor donation pages.
🔹 For non-clients: ensure your provider has a PCI compliance strategy and is specifically meeting these requirements, or switch to a secure, compliant donation platform.
Need help? Contact goDonate at hello@godonate.digital or 3B Data Security at info@3bdatasecurity.com.
A copy of our recent webinar covering these changes is available on request; email us for the link.
Act now to protect donor data & ensure compliance before the 1st April deadline.
UPDATE FEB 2025:
The PCI Council made an update on 30th Jan 2025 to remove Requirements 6.4.3 and 11.6.1 for payment page security, but then added another eligibility criterion which requires you to state that you have confirmed your site is not susceptible to script attacks. The only real way to confirm that you are not susceptible to script attacks is to implement something to manage, monitor and report on the scripts used on the site, so our recommendation is to proceed with the advice given above.
